The EU's General Data Protection Regulation went into full effect on May 25, 2018. For the first time, it began requiring all organizations that suffer a data breach that put Europeans' personal data at risk to notify relevant authorities.

The Information Commissioner's Office, which enforces GDPR in the U.K., says that from May 25, 2018, until the beginning of this month, it received 14,072 data breach reports, compared to receiving just 3,311 from April 2017 through April 2018.

The increase in data breach notifications is a result of mandatory reporting driving better visibility, security experts say. Before last May, most organizations faced no legal obligation to publicly disclose a data breach. Now, however, they do, which means that more data breach discoveries have been coming to light.

Meanwhile, information security experts have told Information Security Media Group that they don't think the frequency of data breaches has increased or decreased significantly since GDPR went into full effect.

"I don't think it's dramatically changed the number or volume of breaches that we've been seeing," Paul Chichester, operations director at Britain's National Cyber Security Center - the public-face arm of intelligence agency GCHQ - told ISMG at a press conference held during the NCSC's recent CyberUK conference in Glasgow, Scotland (see: Cybersecurity Drives Intelligence Agencies in From the Cold).

UK Privacy Complaints Double

Under article 77 of GDPR - "Right to complain to a supervisory authority" - Europeans can file complaints with regulators about organizations' data protection practices, as they were also able to do before enactment of the new regulation.

From May 25, 2018 until the beginning of this month, the ICO received 41,054 data protection complaints, up from 21,000 in the period spanning April 2017 through April 2018.

An ICO spokesman tells ISMG that most of the complaints concerned "subject access requests, disclosure of data, right to prevent processing, security and data inaccuracy."

EU Privacy Board Tracks Increases

The figures issued by the ICO follow European privacy authorities earlier this month releasing a report into the first nine months of GDPR going into full effect.

The European Data Protection Board says its report represents the "first overview on the implementation of the GDPR and the roles and means of the national supervisory authorities," or SAs.

The EDPB report says that from May 25 of last year until Feb. 18, SAs received 64,684 data breach notifications as well as 94,622 complaints. "Of these cases, 52 percent have been closed and 1 percent are the subject of lawsuits before national courts."

The Brussels-based EDPB is an independent European body, created as part of GDPR, which went live on the same day as the start of the regulation's enforcement. The EDPB's mandate is to ensure that data protection rules get applied consistently throughout the EU, as well as encourage the EU's data protection authorities to cooperate (see: GDPR: Europe Counts 65,000 Data Breach Notifications So Far).

Public awareness of data protection rights is at an all-time high. This can be seen in the sharp increase of cases logged by the EEA supervisory authorities. Since May 25th, over 144.000 queries & complaints and over 89.000 data breaches have been logged. #1yearGDPR

The EDPB reports that SAs appear to be applying GDPR consistently across member states, backed by extensive cooperation among privacy authorities as well as a dedicated IT system that enables them all to log and track cases.

"From May 25, 2018, to February 18, 2019, no dispute resolutions were initiated," the board's report reads. "This means that up to now, the SAs were able to reach consensus in all current cases, which is a good sign in terms of cooperation."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
